Last updated 2026-07-09

TL;DR
Auto dialers face $500 per call in TCPA statutory damages, rising to $1,500 if the violation is willful. To stay legal, you need prior express written consent before calling cell phones, DNC scrubbing no older than 31 days, calls only between 8 a.m. and 9 p.m. local time, an abandonment rate under 3 percent, and documented opt-outs. Getting one wrong draws a class action.
What makes an auto dialer subject to TCPA rules?
If your dialer touches a cell phone, assume the TCPA applies. The Telephone Consumer Protection Act (47 U.S.C. § 227) restricts the use of an automatic telephone dialing system, or ATDS, to call or text cell phones without consent. [1] That definition has been fought over in court for years.
The Supreme Court's 2021 decision in Facebook, Inc. v. Duguid narrowed it. The Court held that a system qualifies as an ATDS only if it has the capacity to store or produce numbers "using a random or sequential number generator." [2] That helped some businesses. It did not gut the law.
Here is the practical reality. Most predictive dialers, progressive dialers, and power dialers still qualify as an ATDS under how many courts read the statute. And even if your system somehow falls outside the ATDS definition, calling a number on the National Do Not Call Registry without a valid exemption is its own separate violation, with the same $500 to $1,500 per-call exposure. [1] The two legal tracks (ATDS rules and DNC rules) run in parallel. You have to comply with both.
Pre-recorded and artificial voice calls face a third track. They require prior express consent even to reach a residential landline for non-commercial purposes. [1] If your system drops voicemails or uses AI-generated voice, that rule lands on you directly. The FCC's 2024 declaratory ruling confirmed that AI-generated voices in robocalls require the same prior express written consent as any other prerecorded telemarketing call. [3]
So build your compliance stack from the assumption that TCPA applies. It almost always does.
What kind of consent does an auto dialer actually require?
TCPA consent comes in two tiers, and mixing them up is a common source of liability. Informational calls need one thing. Marketing calls need more.
For informational or non-telemarketing calls to cell phones (appointment reminders, fraud alerts, account notices), prior express consent is enough. That means the person gave you their number in a context that makes calling them reasonable. [1]
For telemarketing or advertising calls and texts to cell phones, you need prior express written consent. The FCC's rules at 47 C.F.R. § 64.1200 require the consumer to sign (electronically counts) a clear and conspicuous disclosure authorizing autodialed or prerecorded marketing calls. [4] The disclosure has to name your company, state that automated calls may go to that number, and make clear the agreement is not a condition of purchase.
A few things that do not count as valid consent:
- A phone number printed on a business card someone handed you
- A bought lead list where the original opt-in language never named your company
- A general terms-of-service checkbox buried in fine print
- Consent given to a different entity that later sold the lead to you
The FCC's one-to-one consent rule, from the December 2023 rulemaking, required that consent go to the specific seller making the calls, not to a lead aggregator. [9] That rule was challenged and the Eleventh Circuit vacated it in early 2025, so it is not currently in force at the federal level. The safer position has not changed: name your company explicitly in the consent language. Do that and you are protected no matter how the aggregation fight ends.
DNC consent works differently. A consumer can give a specific seller express written permission to call their DNC-registered number, and that permission overrides the registry. It has to include the number to be called and be signed by the consumer. [5]
How does DNC scrubbing work and how often should you do it?
Scrub your list against the National Do Not Call Registry no more than 31 days before you dial. That is the legal safe harbor. [5] The registry is managed by the FTC and holds more than 249 million registered numbers. [5] Both the TCPA and the FTC's Telemarketing Sales Rule require the scrub before you call.
The 31-day window is a floor, not a target. New numbers hit the registry every single day. If your campaign runs four weeks, a single scrub at the start means your list is fresh on day one and stale on day 32. Most compliance teams scrub weekly at a minimum. If you cycle through a list fast, scrub before every launch.
You also need an internal DNC list separate from the national registry. When a consumer tells you not to call, you have to honor that within 30 days and keep the number on your internal list for at least five years. [5] Your system has to suppress those numbers across every campaign, not only the one the person called about.
State DNC lists add another layer. States including Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, and Wyoming run their own registries with rules that differ from federal. [6] Florida's law, amended in 2021, is the aggressive one, restricting unsolicited calls to residents whether or not a TCPA violation exists. [10]
Here is how the key scrubbing rules compare:
| Requirement | Federal (TCPA/TSR) | Florida (FTSA) | Texas (TNSOPS) |
|---|---|---|---|
| Registry scrub window | 31 days | 30 days | 31 days |
| Internal DNC honor period | 30 days | 30 days | 30 days |
| Internal DNC retention | 5 years | 5 years | 5 years |
| Calls allowed per day per number | Not specified | Not specified | 3 per 30 days |
| Private right of action | Yes | Yes | No (AG only) |
Do not skip state checks. Florida's Telephone Solicitation Act created a private right of action, and plaintiffs have used it hard since the 2021 amendment. [10]
What are the call time restrictions for auto dialers?
Federal rules bar autodialed or prerecorded calls to residential numbers before 8 a.m. or after 9 p.m. in the called party's local time. [4] That is the consumer's time zone, not your dialing center's. Get this backward and you generate violations without meaning to.
Work through it. If you call from Eastern time into Mountain time, 8 p.m. your clock is 6 p.m. theirs. Fine. Call from Eastern into Pacific at 8 p.m. and it is 5 p.m. there. Also fine. The danger runs the other direction. Call at 7 a.m. Eastern to someone one zone behind you and you just dialed at 6 a.m. their time. That is a violation.
Several states run tighter windows. California limits solicitation calls to 8 a.m. through 9 p.m., matching federal, but defines solicitation more broadly. Some states cut the window to 9 a.m. through 8 p.m. or narrower. [6]
Build time-zone logic into your dialer at the number level, not the campaign level. A campaign that spans multiple states has to suppress dials outside the lawful window for each individual number's local time. A dialer that cannot scrub time zones at the number level is not a dialer you should run compliant outbound on. Replace it.
What is the call abandonment rate rule and why does it matter?
The FTC's Telemarketing Sales Rule caps abandoned calls at 3 percent of calls answered by a live person, measured per campaign per day. [7] An abandoned call connects to a live person and then drops or sits in silence because no agent was free. Both the TSR and the FCC's TCPA rules address them. [4][7]
When a call is abandoned, the dialer has to play a recorded message that identifies the call as coming from a legitimate business, states the business name and phone number, and tells the consumer how to get on the internal DNC list.
Abandonment rates matter for practical reasons too. They drag down answer rates over time. They generate complaints. And they signal to class action attorneys that a company is running high-volume autodialed campaigns without enough agents to staff them. A plaintiff who got an abandoned call and can show your rate topped 3 percent has a clean TSR violation to build a case on.
Run a predictive dialer at high pacing to keep agents busy and you will spike above 3 percent unless you watch it. Most modern dialers let you set a hard abandonment cap. Set it. Check it daily.
How should you document consent and keep records for TCPA defense?
Your records are your defense. In TCPA litigation, once a plaintiff shows they got an autodialed call, the burden of proving consent shifts to the company that made it. [1] If you cannot produce the consent record for a specific number at a specific date and time, you are in a bad spot fast.
What a solid consent record holds:
- The exact form or landing page the consumer used, with timestamp and IP address
- The full consent disclosure text as it appeared at that moment, more than the current version
- The consumer's electronic signature or affirmative click
- The phone number provided, mapped to the individual
- How the lead reached your CRM, including lead source documentation
Store all of it in a system that is tamper-evident and can pull records quickly under a legal hold. Companies lose cases not because they lacked consent but because they could not retrieve and present it. That failure is entirely avoidable.
Retain consent records for at least four years, the federal TCPA statute of limitations, and longer where state limitations run longer. Some states let claims reach a few years past the federal period depending on how they are structured.
Buy leads from a third party? Get a contractual representation that the leads carry valid, documented prior express written consent for your specific company and use case. That will not turn a bad consent record into a good one. It does create a contractual indemnification path if the seller lied about consent quality.
The Credit One TCPA settlement shows how large these totals get when a company calls at scale without airtight documentation.
What should your caller ID and disclosure practices look like?
TCPA and TSR rules require live telemarketers and prerecorded messages to transmit a caller ID number the called party can use to call back or opt out. [7] The number has to be one that can actually receive calls, or you have to give a valid callback number during the call itself.
The STIR/SHAKEN framework, mandated by the FCC under the TRACED Act, requires terminating carriers to verify the authenticity of caller ID. [3] Calls failing verification show as "Spam Likely" or get blocked at the carrier level. When that happens, either your originating carrier is not signing your calls properly or your calling pattern is tripping spam thresholds.
A few concrete steps:
Register your numbers with the major analytics providers (Hiya, First Orion, TNS). These feed the "Spam Likely" labels on consumer phones. If your numbers have high complaint rates, register them with a business identity so they display your company name instead of a warning.
Skip the number-rotation tactics built to dodge spam detection. The FCC and FTC both treat deliberate spoofing or identity obfuscation as evidence of bad faith. Courts have used it to find willfulness, which is exactly how you jump from $500 to $1,500 per call.
For prerecorded calls, the message has to identify the business on whose behalf the call is made and give a phone number during the message. [4] The opt-out has to be immediate: a key press or callback that drops the number onto your internal DNC list.
How do you build a practical compliance checklist for your dialing operation?
Most compliance failures are operational, not legal. The law is reasonably clear. The failure point is a process that runs fine in a spreadsheet and falls apart at volume. Here is what a working compliance stack looks like for a small or mid-size outbound team.
Before the campaign launches: 1. Verify consent records exist for every number, and that the consent language names your company. 2. Scrub against the National DNC Registry (no older than 31 days). [5] 3. Scrub against any applicable state DNC lists. 4. Scrub against your internal DNC list. 5. Apply time-zone tagging to every record. 6. Confirm your dialer's abandonment cap is set at or below 3 percent. [7] 7. Verify caller ID transmission works and STIR/SHAKEN is signed.
During the campaign: 1. Monitor the abandonment rate daily. 2. Log every opt-out the same business day and suppress the number immediately. 3. Review consumer complaints that come back through your caller ID number.
After the campaign: 1. Add all opt-outs to the internal DNC list with timestamps. 2. Archive consent records and call logs. 3. Run a post-campaign audit if abandonment topped 3 percent on any day.
LeadCompliant has a free TCPA compliance checklist and DNC checker that slots into the pre-campaign scrubbing step. The thing that makes any of this work is building the checklist into your CRM or campaign setup, not leaving it as a separate step someone can skip.
For how SMS fits the same stack, see our guide to text message marketing.
What do real TCPA auto dialer settlements tell you about where companies go wrong?
Settlement outcomes tell you more about real risk than any abstract framework. The same failures show up over and over.
UnitedHealthcare paid $2.5 million to resolve claims it placed autodialed calls to cell phones without proper consent. Cases like it repeat a pattern: lead lists bought from third parties without checking consent quality, consent language that never named the calling entity, and internal DNC lists that were not synced across every campaign.
The Albertsons/Safeway TCPA settlement came out of automated text messages. TCPA covers SMS exactly as it covers voice. A text sent via an ATDS to a cell phone without prior express written consent carries the same $500 to $1,500 per-message exposure.
The Truist Bank TCPA class action and the Cash App TCPA class action settlement both involved financial firms with real compliance teams. The lesson is not that they were reckless. It is that at high call volume, even a tiny defect rate in your consent records turns into thousands of actionable contacts.
Do the math. 100,000 calls at a 1 percent consent defect rate equals 1,000 potential plaintiffs. At $500 each, that is $500,000 in statutory damages before class counsel even asks for fees. Scaling calls without scaling consent verification and DNC hygiene in parallel is how you manufacture class action liability.
What are the specific rules for B2B auto dialer calls?
B2B calling is not the TCPA-free zone people assume, and that assumption has burned a lot of companies. The wireless restrictions turn on the type of phone, not the purpose of the call.
Call a cell phone that happens to be a business-use number and the TCPA still applies to autodialed or prerecorded calls. The FCC has never created a blanket B2B exemption for cell phones. [1] If your rep dials a prospect's direct cell with a predictive dialer, that call needs prior express consent unless the prospect has an established business relationship with your company and the call is not marketing.
The DNC Registry exemption for B2B is real but narrow. The TSR exempts calls where the seller has an established business relationship with the called party, or where the number is not residential. [7] Most business main lines are not residential numbers. But direct-dial cell numbers used by employees sometimes sit on the DNC, and calling them for telemarketing without consent or an EBR is a violation.
So here is the rule for a B2B team running a power or predictive dialer into cell numbers: get consent or a documented established business relationship for each number. Do not assume B2B means the rules do not apply. They do.
How do you handle reassigned numbers and wrong-number risk?
Phone numbers get reassigned constantly, and the consent does not follow the person. The FCC's Reassigned Numbers Database exists to help callers avoid dialing new subscribers on numbers they once had valid consent to call. [8] It launched in 2021 and updates monthly with permanently disconnected numbers.
The TCPA gives you no safe harbor for calling a reassigned number just because the prior subscriber consented. Courts have held that consent travels with the number, meaning it does not transfer to whoever holds the number next. [2] The "one free call" doctrine in some circuits gives you a single call after reassignment to catch the error before liability attaches. [11] Relying on that as a compliance strategy is not something any serious team does.
Scrubbing against the Reassigned Numbers Database before each campaign is cheap insurance. The subscription costs far less than defending one wrong-number suit. If your dialer vendor does not offer it, find a data provider that does.
One more habit. When a consumer says "wrong number" or asks who you are, add that number to your internal DNC list right away. Do not call it again until you have re-verified consent for the current subscriber.
What penalties and enforcement actions should auto dialer operators know about?
The TCPA gives every consumer a private right of action, meaning anyone can sue without going through a regulator first. [1] That is the main enforcement engine and the source of most exposure for outbound teams. Statutory damages run $500 per violation, trebled to $1,500 for willful or knowing violations. There is no per-plaintiff cap, and class actions stack individual claims into enormous numbers.
The FCC enforces the TCPA too, with fines up to $23,727 per violation under its rules, adjusted for inflation. [3] The FTC enforces the TSR's DNC provisions separately and has won multimillion-dollar judgments.
State attorneys general can bring TCPA actions as well. Florida's AG has been active since the 2021 FTSA amendments. [10] Texas runs its own telephone solicitation law with AG enforcement authority.
The statute of limitations for federal TCPA claims is four years. [1] That means a class action can reach four years back into your call records. Every dial you log today is potential evidence for four years.
For a concrete sense of how litigation plays out, the Kaiser TCPA settlement and the Joseph Snyder Credit One TCPA case both show how individual cases grow into larger settlements.
For ongoing changes, tracking TCPA news is the easiest way to stay current on FCC rulemakings and major case outcomes without reading every opinion yourself.
What should you look for in a TCPA-compliant auto dialer vendor?
A vendor's features do not decide your legal compliance. You do. But the right capabilities make compliance easy, and the wrong ones force manual workarounds that eventually break.
Features that matter:
Time-zone suppression at the number level, not the campaign level. Every number gets checked against its own local time before each dial.
Abandonment monitoring and capping. The system should let you set a hard 3 percent ceiling and alert you in real time as you approach it.
Internal DNC integration in real time, so a number suppressed in a morning campaign cannot be dialed by an afternoon one.
Call recording and logging. Every dial attempt, connect, and outcome logged with timestamps and dispositions. These records are your defense in court.
Consent timestamp and source integration, pulling consent metadata from your CRM so it is available to agents during the call.
Ask the vendor directly. Do you support Reassigned Numbers Database scrubbing? How often does your DNC integration update? What is your SLA for applying opt-outs to the suppression list? A vendor that cannot answer those fast has not built compliance into its product.
LeadCompliant's free DNC checker and compliance tools supplement any dialer stack for pre-campaign list hygiene, useful when a vendor's native DNC scrubbing lags.
Frequently asked questions
Does the TCPA apply to B2B calls using an auto dialer?
Yes, when the number dialed is a cell phone. The TCPA restricts autodialed and prerecorded calls to wireless numbers based on the type of number, not the purpose of the call. Calling a business contact's cell with a predictive dialer still needs prior express consent. The DNC exemption for established business relationships applies to the TSR's DNC restrictions but does not override the TCPA's cell phone consent requirement.
How often do I need to scrub my list against the National DNC Registry?
Federal rules require scrubbing no more than 31 days before each call. That is the legal floor. Most compliance teams scrub weekly or before every launch. Numbers are added to the registry daily, so a single scrub at campaign start leaves you exposed to new registrations as the campaign runs. Shorter intervals cut risk sharply, and re-scrubbing costs almost nothing next to a single TCPA claim.
What is the penalty for calling a number on the Do Not Call Registry?
Statutory damages under the TCPA are $500 per call to a DNC-registered number without a valid exemption, trebled to $1,500 if the violation is willful. The FTC can also impose civil penalties under the Telemarketing Sales Rule for DNC violations. State DNC violations carry their own separate penalties. In a class action, these per-call amounts aggregate quickly across every affected class member.
What is prior express written consent for TCPA purposes?
Prior express written consent is an agreement, signed electronically or on paper, where a consumer authorizes autodialed or prerecorded telemarketing calls to their cell phone. The FCC requires the disclosure to state clearly that the number may be called using an autodialer or prerecorded voice, name the specific company calling, and confirm consent is not a condition of purchase. A general signup or terms-of-service checkbox does not meet the standard.
Can I call someone who gave their number to a lead generation company?
Only if the consent specifically named your company. The FCC's one-to-one consent rule from the 2023 rulemaking required consent to go to the specific seller, not a lead aggregator, but the Eleventh Circuit vacated it in early 2025. The safe practice stands regardless: consent that named a third-party website does not give you valid TCPA consent to call for your own marketing. Name your company in the consent language.
What is the call abandonment rate limit for auto dialers?
The FTC's Telemarketing Sales Rule caps abandoned calls at 3 percent of calls answered by a live person, measured per campaign per day. When a call is abandoned, the dialer must play a message with the business name and a callback number. Exceeding 3 percent is a TSR violation independent of any TCPA issue and creates standalone liability. Most predictive dialers let you set a hard abandonment cap. Use it.
Do TCPA rules apply to text messages sent by an auto dialer?
Yes. The FCC has consistently read the TCPA's ATDS restrictions to cover text messages to cell phones, not only voice calls. A text sent using an autodialer to a cell phone without prior express written consent is a TCPA violation carrying the same $500 to $1,500 per-message exposure as a voice call. The Albertsons/Safeway TCPA settlement is one high-profile example applied to mass text campaigns.
What are the allowed calling hours for auto dialers under federal law?
Federal rules under 47 C.F.R. § 64.1200 prohibit autodialed or prerecorded calls to residential numbers before 8 a.m. or after 9 p.m. in the called party's local time zone. The time zone is the consumer's location, not the caller's. Some states set stricter windows. Your dialer must apply time-zone logic at the individual number level, not the campaign level, so it never dials outside permitted hours in any recipient's local time.
How long do I need to keep TCPA consent records?
The federal TCPA statute of limitations is four years, which sets the practical minimum for retention. Keep the full record: the form as it appeared at opt-in, timestamp, IP address, phone number, and consent text. Some plaintiffs' attorneys argue state statutes of limitations extend exposure further. Retaining records for five to six years is a conservative and reasonable practice for most outbound teams.
What is the Reassigned Numbers Database and do I have to use it?
The FCC's Reassigned Numbers Database is a monthly-updated database of permanently disconnected phone numbers. There is no mandatory legal requirement to scrub against it, but courts have rejected the argument that prior consent covers calls to a new subscriber after reassignment. Using it before each campaign is cheap risk reduction. A single wrong-number TCPA claim costs far more than an annual database subscription.
What must a prerecorded message include to comply with TCPA?
Under FCC rules, a prerecorded telemarketing message must state the name of the business on whose behalf the call is made, provide a callback phone number, and offer an automated opt-out that activates immediately. The opt-out must add the number to the company's internal DNC list within 30 days. For AI-generated voice calls, the FCC's 2024 ruling requires the same prior express written consent as any other prerecorded telemarketing call.
Does an established business relationship exempt me from DNC rules?
An established business relationship exempts sellers from the National DNC Registry requirements for up to 18 months after the last purchase or transaction, and 3 months after an inquiry. This applies to residential numbers on the DNC. It does not override the TCPA's separate requirement for prior express written consent before autodialed or prerecorded marketing calls to cell phones. The two rules run independently, so an EBR alone will not protect a cell-phone marketing call.
What states have their own DNC or auto dialer laws beyond federal rules?
Florida, Texas, Indiana, Oklahoma, Louisiana, Massachusetts, Missouri, Pennsylvania, Tennessee, and Wyoming maintain state DNC registries. Florida's 2021 FTSA amendment is the most aggressive, creating a private right of action for unsolicited calls to Floridians. California's CCPA and CPRA add consent and opt-out rights relevant to telemarketing. Texas restricts call frequency. Any team calling into multiple states needs state-specific scrubbing on top of the federal registry.
Can a consumer sue me directly for TCPA violations without going to a regulator?
Yes. The TCPA's private right of action lets any consumer file suit in federal or state court for each violation without complaining to the FCC or FTC first. This is why TCPA class actions are so common: plaintiffs' attorneys aggregate individual $500 to $1,500 claims across thousands of class members. No regulatory process is required and no warning is necessary. The lawsuit can be the first notice you get.
Sources
- U.S. House of Representatives Office of the Law Revision Counsel, 47 U.S.C. § 227 (TCPA statute text): TCPA creates a private right of action with $500 per violation in statutory damages, trebled to $1,500 for willful violations, and restricts ATDS calls to cell phones without consent
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems that use a random or sequential number generator to store or produce numbers
- Code of Federal Regulations, 47 C.F.R. § 64.1200 (FCC TCPA implementing rules): FCC rules require prior express written consent for autodialed telemarketing calls to wireless numbers, prohibit calls before 8 a.m. or after 9 p.m. local time, require caller ID transmission, and set requirements for prerecorded message content
- Federal Trade Commission, National Do Not Call Registry: National DNC Registry contains more than 249 million numbers; 31-day scrub window required; internal DNC list must be honored within 30 days and retained for five years; written consumer permission can override DNC registration
- National Conference of State Legislatures, Telemarketing and Do Not Call Laws: Multiple states including Florida, Texas, Indiana, Oklahoma, and others maintain separate DNC registries and telephone solicitation laws with requirements beyond federal rules
- Federal Trade Commission, Telemarketing Sales Rule (TSR), 16 C.F.R. Part 310: TSR limits abandoned calls to 3 percent of calls answered by a live person per campaign per day; requires caller ID transmission of a callable number; establishes established business relationship exemption with 18-month and 3-month windows
- Federal Communications Commission, Reassigned Numbers Database: FCC launched Reassigned Numbers Database in 2021, updated monthly, to help callers identify permanently disconnected numbers and avoid calling new subscribers
- Florida Office of the Attorney General, Florida Telephone Solicitation Act (FTSA) summary: Florida's 2021 FTSA amendment created a private right of action for unsolicited calls to Florida residents and is among the most aggressive state-level telephone solicitation laws in the country
- U.S. Court of Appeals, Eleventh Circuit, Osorio v. State Farm Bank (one free call rule): Courts have established a one free call doctrine giving callers one contact after number reassignment to discover the error before further TCPA liability attaches